Monday, July 06, 2009

The Art of Malware Detection

While most people start their day with coffee and their morning paper, my day is a little different. Today it was Diet Pepsi and reading what’s happening with various security threats. Thanks to Lee at http://www.scamtypes.com/, I ran into an interesting article from our friends at ESET titled “Waledac, VirusTotal and some AV fallacies”.

First, if you’ve never heard of VirusTotal, you’ll want to check out http://www.virustotal.com/. It’s a great tool for malware researchers and for anyone trying to clean up an infected machine. VirusTotal lets you upload a file and have it scanned by around 40 AV engines using their current signature files.

Detection and cleanup by signature files is a fine traditional methodology, but it isn’t perfect. As ESET points out:

“A VT report is a snapshot of a moment in time.…we use heuristic analysis and automated processes these days rather than wait for people to send us malware to analyse and insist that we write a signature for it”

ESET, like many companies, has figured out that the first step in malware detection is monitoring the behavior of programs running on your system rather than relying on signatures alone. It was refreshing to have another industry expert elaborate on this approach. How heuristic analysis is implemented still varies from product to product.

For over 10 years this has been the approach I’ve used with my own WinPatrol program. WinPatrol was designed to detect malware and viruses that try to embed themselves in your system. Over the years I’ve added unique detections such as file association changes and even configuration changes like the Microsoft Automatic Updates settings. Most AV programs now use multiple levels of detection, so discovering malware and alerting users isn’t as tough as it used to be.
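As an added example in the spirit of the approach described above (not WinPatrol’s or ESET’s code), here is a small Python monitor that snapshots the registry locations a program can use to embed itself, together with the .exe file association and the Automatic Updates setting, and diffs two snapshots. The key paths are real Windows locations; the category labels, the triage rules, and the before/after snapshots are this example’s own assumptions. On Windows, take_snapshot() reads live values with the standard-library winreg module; the diff and triage logic runs anywhere.

```python
"""Behavior-style monitoring of Windows persistence points by snapshot diff.

Added example in the spirit of the post, not WinPatrol's or ESET's code.
"""
import sys

# Real registry locations of the kinds the post mentions. The category
# labels on the right are this example's own.
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXE_ASSOC = r"HKCR\.exe"
EXE_OPEN = r"HKCR\exefile\shell\open\command"
AU_CFG = r"HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

WATCHED_KEYS = {
    RUN_HKCU: "startup",
    RUN_HKLM: "startup",
    EXE_ASSOC: "file_association",
    EXE_OPEN: "file_association",
    AU_CFG: "auto_update",
}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT"}


def read_values(full_path):
    """Return {value_name: data} for one registry key (Windows only)."""
    import winreg  # Windows-only module, imported lazily on purpose
    hive_tag, _, subkey = full_path.partition("\\")
    hive = getattr(winreg, HIVES[hive_tag])
    values = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                values[name] = str(data)  # "" is the (Default) value
                index += 1
    except OSError:  # key missing or access denied: treat as empty
        pass
    return values


def take_snapshot():
    """Snapshot every watched key as {(key_path, value_name): data}."""
    if sys.platform != "win32":
        raise RuntimeError("live snapshots need the Windows registry")
    return {(path, name): data
            for path in WATCHED_KEYS
            for name, data in read_values(path).items()}


def diff_snapshots(before, after):
    """List every added, removed or changed value between two snapshots."""
    changes = []
    for entry in sorted(set(before) | set(after)):
        old, new = before.get(entry), after.get(entry)
        if old == new:
            continue
        path, name = entry
        kind = "added" if old is None else "removed" if new is None else "changed"
        changes.append({"kind": kind, "category": WATCHED_KEYS[path],
                        "key": path, "value": name, "old": old, "new": new})
    return changes


def triage(change):
    """Rate one change 'alert' or 'info'; the rules are this example's own."""
    cat = change["category"]
    if cat == "file_association":
        return "alert"  # a hijacked .exe handler runs on every program launch
    if cat == "auto_update" and change["value"] == "AUOptions" and change["new"] == "1":
        return "alert"  # AUOptions=1 means Automatic Updates turned off
    if cat == "startup" and change["kind"] in ("added", "changed"):
        return "alert"  # new or altered autostart entry
    return "info"       # e.g. a startup entry that merely disappeared


def report(before, after):
    """Diff two snapshots and keep only the alert-level changes."""
    return [c for c in diff_snapshots(before, after) if triage(c) == "alert"]


# Constructed sample snapshots (not real registry dumps) for a typical
# infection: a new Run entry, a hijacked exefile handler, updates disabled,
# plus one harmless removal so that the info level is exercised too.
BEFORE = {
    (RUN_HKCU, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    (RUN_HKLM, "SoundMAX"): r"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe",
    (EXE_ASSOC, ""): "exefile",
    (EXE_OPEN, ""): '"%1" %*',
    (AU_CFG, "AUOptions"): "4",
}
AFTER = {
    (RUN_HKCU, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    (RUN_HKCU, "svchosts"): r"C:\Documents and Settings\bill\Application Data\svchosts.exe",
    (EXE_ASSOC, ""): "exefile",
    (EXE_OPEN, ""): r'"C:\Documents and Settings\bill\Application Data\svchosts.exe" "%1" %*',
    (AU_CFG, "AUOptions"): "1",
}

if __name__ == "__main__":
    for change in diff_snapshots(BEFORE, AFTER):
        print(f"[{triage(change):5}] {change['kind']:7} {change['category']:16} "
              f"{change['key']} :: {change['value']!r}  {change['old']!r} -> {change['new']!r}")
```

On a real machine you would take one snapshot at a known-clean point, store it, and re-run the diff periodically; the constructed data above yields four changes, three of which triage to alert level, while the disappearance of the SoundMAX startup entry is reported at info level only.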

The challenge these days is cleaning up and removing malware. The bad guys have come up with clever ways to maintain control of their victims. The first thing they do is try to shut down popular antivirus programs. Luckily, while WinPatrol has a good following, I’ve only run into a few programs that try to shut Scotty down. The other way to control victims is by installing anywhere from three to thirty-some programs that keep restoring each other when their partners are removed. This is another area where WinPatrol’s manual multi-select removal process can be handy.

This year the bad guys have come up with even more ways to trick the programs that detect and remove malware. I won’t elaborate on new techniques that aren’t widely known yet, but rest assured I’m not the only one waking up and thinking of new ways to fight them.